So! What on Earth is GDPR and Why the Frenzy?
Actually, the General Data Protection Regulation, or GDPR as you have likely seen it written everywhere, came into effect on May 25, 2018. It is a new piece of European Union legislation passed to change how personal data is collected, processed and used over the internet. It is the most significant overhaul of data protection law since the European Union’s 1995 Data Protection Directive, and it brings an intense and complex set of rules that, when not abided by, can attract enormous penalties of up to 4% of a company’s global revenue.
Key Aspects of GDPR
The motive for implementing GDPR is to harmonize data privacy laws across Europe, in the interest of:
- protecting personally identifiable information of all EU citizens,
- empowering them to withhold consent, request to access or delete the stored data, and raise complaints in the case of any issues, and
- reshaping the way organizations across the region approach data privacy.
How to Become GDPR Compliant?
- Companies should pseudonymize personally identifiable data, including name, address, behavioral data, contact number and so on. Scrambling the data in this way can help companies protect the information in the event of a leak or breach.
- Companies must explicitly explain why, how and when they collect data and how they are going to use it. Also, companies should collect it only after explicit consent from the user.
- Companies will have to document the personal data they hold and the sources it came from, and keep records of their data processing activities. Create and maintain a personal data register and record every piece of information held about the user.
- Companies handling critical information about EU citizens will have to employ a Data Protection Officer (DPO). Critical information includes political surveys, behavior monitoring and other data collection carried out on a large scale.
- In the case of a personal data leak, companies must notify authorities and alert users no later than 72 hours after the leak was detected. So, focus on ensuring the highest level of data security and privacy when developing the application.
- Organizations will have to provide users with the right to be “forgotten,” i.e., should the user ask to delete all information about him/her, the company should do it right away, everywhere.
What are the penalties for non-compliance?
In the worst case, regulators can levy a fine on companies of up to 4% of annual global turnover or 20 million euro, whichever is greater, for breaching GDPR. Reasons for non-compliance are:
- Not having sufficient customer consent to process data;
- Violating the core of Privacy by Design concepts;
- Not being able to provide the personally identifiable information collected, processed, or stored.
Does GDPR Impact Business Outside EU?
The GDPR applies not only to organizations located within the EU but also to organizations located outside the EU, provided they offer goods or services to, or monitor the behavior of, EU data subjects (“data subjects” is GDPR’s jargon for citizens). It applies to all companies collecting, processing, and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
Why is no one ready for it?
According to a Reuters survey, many regulators are struggling to deploy measures due to a lack of powers and the necessary funding to fully enforce GDPR. The principal reason is that not every EU country has come up with a proper data protection law that mirrors the notion of GDPR.
Also, regulators can’t simply go and sue a company like Amazon after hearing a single complaint, nor can they levy a 4 percent fine, which would be 7 billion euros. No one is sure whom to go after, how to proceed with complaints, whether there should be a cap on complaints before penalizing a company, and the hypothetical list goes on. All we can do is “wait and watch” until things become tidy.
Let’s hope that companies and regulatory bodies get to settle into the flow of things as soon as possible, for the privacy protections of GDPR to become business as usual. In the meantime, it’s just a mad scramble to keep up.
Final Thoughts on GDPR
After what happened with Facebook and Cambridge Analytica, it is an emphatic YES to data protection online. We want our data protected at any cost. That said, it is welcome that legislators are finally catching up with technological advancements. With GDPR, we hope companies will become more responsible in handling data and earn users’ trust in how they safeguard it.